If you are using Ubuntu, you can find similar guidance here: How to Block Access Based on GeoIP on Ubuntu.
In this guide, I am using CentOS 7 with kernel 3.10 and xtables-addons 2.14. The latest release of xtables-addons at the time of writing is version 3.9; however, the kernel and iptables versions shipped with CentOS 7 do not meet the minimum requirements of that release, so the xtables-addons series that matches kernel 3.10 is 2.x.
1. Install dependencies
yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget
2. Download and extract xtables-addons
cd /tmp/
wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.14.tar.xz
tar -xvf xtables-addons-2.14.tar.xz
3. Disable Tarpit
cd xtables-addons-2.14
vi extensions/Kbuild
Comment out the line below so that it reads
#obj-${build_TARPIT} += xt_TARPIT.o
If you do not comment it out, the build fails with errors like the following
In file included from include/uapi/linux/netfilter_ipv6.h:11:0,
                 from include/linux/netfilter_ipv6.h:10,
                 from /tmp/xtables-addons-2.14/extensions/xt_TARPIT.c:45:
include/linux/netfilter.h:250:1: note: declared here
 NF_HOOK(uint8_t pf, unsigned int hook, struct sock *sk, struct sk_buff *skb,
 ^
make[4]: *** [/tmp/xtables-addons-2.14/extensions/xt_TARPIT.o] Error 1
make[3]: *** [_module_/tmp/xtables-addons-2.14/extensions] Error 2
make[3]: Leaving directory `/usr/src/kernels/3.10.0-1127.13.1.el7.x86_64'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/tmp/xtables-addons-2.14/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/xtables-addons-2.14'
make: *** [all] Error 2
4. Compile and install xtables-addons
./configure
make
make install
5. Enable module xt_geoip
modprobe xt_geoip
6. Create directory GeoIP
mkdir /usr/share/xt_geoip/
7. Download GeoIP databases
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
8. Create iptables rules
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s IP-OF-MY-ZIMBRA -j ACCEPT
iptables -A INPUT -m geoip ! --src-cc ID -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
To allow more than one country code, separate the codes with commas. For example, to allow the Singapore country code as well:
iptables -A INPUT -m geoip ! --src-cc ID,SG -p tcp -m multiport --dport 80,110,143,443,465,587,993,995,7071 -j DROP
9. Make iptables persistent
To load the iptables rules automatically at boot, install iptables-services
yum install iptables-services
10. Save, enable autostart and restart
service iptables save
systemctl enable iptables
systemctl restart iptables
11. Auto-update databases
Create a crontab entry to update the GeoIP databases every night
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
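A hardened version of the step 11 cron job, added here as an example (not from the original post): it downloads into a scratch directory, replaces /usr/share/xt_geoip only if the archive contains a database for every allowed country, and then restarts iptables, because xt_geoip reads the files when a rule is inserted rather than on every packet. It assumes the xtables-addons 2.x file layout (LE/CC.iv4 and BE/CC.iv4 under the GeoIP directory) and the ID,SG country list from step 8; adjust ALLOW_CC and the layout check if your archive differs.

```shell
#!/bin/sh
# Added example, not from the original post: a safer replacement for the
# step 11 cron line. The download is validated before it replaces the live
# database, and iptables is reloaded so the rules pick up the new data.
# Assumed 2.x layout: $GEOIP_DIR/LE/CC.iv4 and $GEOIP_DIR/BE/CC.iv4
set -eu

GEOIP_URL="https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz"
GEOIP_DIR="/usr/share/xt_geoip"
ALLOW_CC="${ALLOW_CC:-ID,SG}"    # same codes as the iptables rule in step 8

# cc_list_ok "ID,SG": 0 if every comma-separated entry is a two-letter code
cc_list_ok() {
    local cc IFS=','
    [ -n "$1" ] || { echo "empty country list" >&2; return 1; }
    for cc in $1; do
        case "$cc" in
            [[:upper:]][[:upper:]]) ;;
            *) echo "bad country code: '$cc'" >&2; return 1 ;;
        esac
    done
}

# db_complete DIR "ID,SG": 0 if DIR has a non-empty LE and BE file per code
db_complete() {
    local dir="$1" cc f IFS=','
    for cc in $2; do
        for f in "$dir/LE/$cc.iv4" "$dir/BE/$cc.iv4"; do
            [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        done
    done
}

refresh_geoip() {
    cc_list_ok "$ALLOW_CC" || return 1
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/db"
    wget -q "$GEOIP_URL" -O "$tmp/db.tar.gz"   # set -e aborts on failure
    tar -xzf "$tmp/db.tar.gz" -C "$tmp/db"
    if ! db_complete "$tmp/db" "$ALLOW_CC"; then
        echo "new database incomplete, keeping $GEOIP_DIR" >&2
        return 1
    fi
    rm -rf "$GEOIP_DIR.old"
    [ -d "$GEOIP_DIR" ] && mv "$GEOIP_DIR" "$GEOIP_DIR.old"
    mv "$tmp/db" "$GEOIP_DIR"
    systemctl restart iptables   # xt_geoip loads the files only at rule insertion
}
if [ "${1:-}" = "run" ]; then refresh_geoip; fi   # cron: /path/to/script run
```

Save it as an executable script and call it with the argument run from the crontab entry; a failed download or an incomplete archive leaves the current database untouched.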
Now, you can try to access your Zimbra from another country code. You can use one of these tools to check whether the ports are reachable: https://mxtoolbox.com/TCPLookup.aspx or https://www.yougetsignal.com/tools/open-ports/
Now, I can only access my Zimbra from Indonesia (or Singapore).
Good Luck
Nice manual, thanks. Other manuals I’ve seen don’t cover the problem with the legacy MaxMind database, which is deprecated already. Your link to legacy-geoip-csv.ufficyo.com was very useful.
30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip
bash: 30: command not found…
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Can you please guide me; what went wrong?
Hi,
That line should be inserted in the crontab. You should run crontab -e first and paste the line into the cron table.
While doing the ./configure I get the following error:
checking kernel version that we will build against… make: *** /lib/modules/3.10.0-1127.19.1.el7.x86_64/build: No such file or directory. Stop.
0.0.0.0 in /lib/modules/3.10.0-1127.19.1.el7.x86_64/build
WARNING: That kernel version is not officially supported.
Later while doing make I get this other:
make all-recursive
make[1]: Entering directory `/root/xtables-addons-2.14'
Making all in extensions
make[2]: Entering directory `/root/xtables-addons-2.14/extensions'
Xtables-addons 2.14 - Linux make: Entering an unknown directory
make: *** /lib/modules/3.10.0-1127.19.1.el7.x86_64/build: No such file or directory. Stop.
make: Leaving an unknown directory
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/root/xtables-addons-2.14/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/xtables-addons-2.14'
make: *** [all] Error 2
I already installed kernel-devel
Hi Jorge,
Please run update and upgrade first before applying this. Maybe your server has packages that should be upgraded.
I have the same issue as Jorge. I am running on CentOS 7; any help would be appreciated.
./configure --without-kbuild